twocanoes / xcreds

Open Source Project for Syncing IdP password with macOS login password
BSD 3-Clause "New" or "Revised" License
223 stars 25 forks

[Feature Request] Provide option to notify user of upcoming password expiration #182

Open dstranathan opened 7 months ago

dstranathan commented 7 months ago

Example:

1 User logs into the XCreds login window (specifically an AD domain in my example, but could also apply to a cloud IdP like Azure, too?)

2 Once authenticated and Desktop/Dock appears, the user is prompted with a small informational dialog box reminding user that his/her password expires in xxx days. No action required, but could offer a button to "update now..."

This would remind users to be proactive and update their expiring passwords before they expire.

This idea stems from feedback I received regarding the behavior of the login experience of legacy AD binding compared to XCreds. There is a native Apple login window pref key PasswordExpirationDays (which defaults to 14 days). Example: defaults write /Library/Preferences/com.apple.loginwindow PasswordExpirationDays -int 21 (see https://support.apple.com/lv-lv/guide/directory-utility/ior9dfab7fbd/mac)

One of the reasons this may be useful for XCreds is that users don't see their expiration date in the XCreds menubar without clicking it and looking at the info in the drop-down (which most users won't do very often, if at all). NoMAD, on the other hand, displayed the expiration date (in days) in the menu bar next to the NoMAD icon, so users were more aware of the date than they might otherwise be when using XCreds.

Bonus request: Provide an optional key to allow the expiration date to be displayed next to the XCreds icon in the macOS menu bar (example: showExpireDateInMenuBar) like NoMAD.

twocanoes commented 3 months ago

Seems intrusive. Perhaps a notification in the notification center or an (!) in the menu title?

dstranathan commented 2 months ago

In my experience with NoMAD over 5+ years (and ADPassMon for 5 years previous to NoMAD), I have found that users appreciated the at-a-glance info regarding password expirations.

I think something that really makes this type of functionality useful to my org is that nearly all my Mac users are on laptops and travel internationally, and have echoed concerns when their passwords were expiring during travel ("password change anxiety", etc). The downside, as you stated, can be intrusive (especially with the "shrinkflation" of the MacBook menubar camera notch - less icon real estate these days is a concern).

I think that offering an option to show/hide the expiration could be a great compromise - I'm even open to the idea of letting the user decide if they want to show/hide the date (not require it on users who need their menu bar space as a priority).

dstranathan commented 2 months ago

Here's an example of NoMAD's UI - it displays the password expiration day by simply performing a mouse-over on the menubar app

[Image: NoMAD password expiration hint on mouse-over]

twocanoes commented 1 month ago

This is more complicated than I first thought and needs further testing. What if the password expiration is less than 0? Show a countdown if less than a few days? NoMAD had a bunch of logic that could be added.

Punting to 5.1.

dstranathan commented 1 month ago

Thank you Tim!

Can you confirm: Connecting to the AD domain allows XCreds to show when my password is expiring in the app's menu bar as expected, but Azure does not show any expiration info when I'm off the AD domain. Is this a limitation of Azure? Or does XCreds check password expirations at log-in time and/or when refreshing tokens? I haven't done a deep-dive on password resets yet (that's going to be my final wave of testing before I widen out the test groups in prep for production).

Can the ROPG protocol help get this information?

Wondering how users are supposed to know when their passwords are about to expire to avoid lock-outs? My help desk will be very grumpy if we deploy XCreds and nobody has a clue when they are about to expire. (hopefully they are on-prem from time-to-time enough to see this info)

Currently we are still using NoMAD, which does show a password expiration date when on-prem - and also caches the info when off-prem, in case a user with a laptop is working remotely for extended periods. Very useful info.

As for your questions, a key to set for 30 or 14 days etc. would be useful, and then something more aggressive (red text) at ~24 or 48 hours etc. (maybe show a red ! in the icon?). I'm not sure what to expect if a password has already expired, and I don't recall how NoMAD behaves when this occurs actually.
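To make the threshold logic discussed in the two comments above concrete (warn at N days, go aggressive at ~24-48 hours, handle an already-expired password, and cope with no expiry info at all as in the off-prem Azure case), here is an added illustration of a pure decision function. It is example code, not XCreds or NoMAD code; the parameter names `warn_days`, `urgent_hours` and `show_in_menu_bar` are hypothetical and only echo the loginwindow PasswordExpirationDays idea. Because it works from the absolute expiry timestamp, a value cached while on-prem keeps giving correct answers off-prem.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ExpiryStatus:
    state: str                # "unknown" | "ok" | "warning" | "urgent" | "expired"
    days_left: Optional[int]  # whole days remaining; negative once expired; None if unknown
    menu_title: str           # text next to the menu-bar icon, "" means show nothing
    notify: bool              # whether a one-off notification-center alert is warranted


def password_expiry_status(expires_at: Optional[datetime], now: datetime,
                           warn_days: int = 14, urgent_hours: int = 48,
                           show_in_menu_bar: bool = True) -> ExpiryStatus:
    """Classify an IdP/AD password expiry time into a display state.

    expires_at may be None when the directory or IdP did not report an expiry
    (hypothetical: e.g. only a cloud token was available); the function then
    reports "unknown" rather than pretending the password is fine.
    """
    if expires_at is None:
        return ExpiryStatus("unknown", None, "", False)

    remaining = expires_at - now
    # timedelta.days floors toward -inf, so any past expiry yields days_left <= -1
    days_left = remaining.days

    if remaining < timedelta(0):
        # Already expired: always flag it, even when the user hid the countdown
        return ExpiryStatus("expired", days_left, "! expired", True)

    if remaining <= timedelta(hours=urgent_hours):
        # Inside the aggressive window: show an hour countdown with a "!" marker
        hours = int(remaining.total_seconds() // 3600)
        return ExpiryStatus("urgent", days_left, f"! {hours}h", True)

    title = f"{days_left}d" if show_in_menu_bar else ""
    if days_left <= warn_days:
        # Early reminder window: optional day count, plus one notification
        return ExpiryStatus("warning", days_left, title, True)

    return ExpiryStatus("ok", days_left, title, False)
```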

twocanoes commented 1 month ago

@dstranathan Let's meet and discuss. Please schedule a meeting on our meeting link.